workshop goals

• informal environment
• a deeper look into the badge
• setup development environment
• modify/recompile code
• open lab

gameplay

• complete tasks, get rewarded
• 4 roots and 4 branches, each with 4 leds
• when task is complete, badge inserted into programmer to unlock LED
• when each root is complete, magic happens
• when all roots are complete, even magic happens
[Screenshot: FTDI EEPROM device tree and properties for the badge]
Template: DEFCON_China_Badge
Chip Type: FT X Series
Vendor ID: 0x0403
Product ID: 0x6015
Product Desc: 'DEF CON China 1.0'
Serial Number: DC308P7V
Device Tree: FT EEPROM > Chip Details, USB Device Descriptor, Hardware Specific
Property: FT EEPROM - structural representation of the contents of the EEPROM of an FTDI device

led matrix

accelerometer

• ST Microelectronics LIS3DH
• 3-axis digital output (I2C/SPI)
• +/- 2, 4, 8, 16g range
• interrupt on motion or free fall
• used to preserve battery life
• sleep mode @ 10 seconds of inactivity
• raw values available through interactive mode
Firmware

• Arduino
  • open source platform based on easy-to-use hw/sw/fw
  • worldwide community of users/contributors
• 90% of Flash (27.6kB), 43% of RAM (887 bytes)
• loop
  • set power state (battery, usb, usb charger)
  • check for/process interactive mode
  • check for/process fpc communication
  • update leds
  • sleep until accelerometer interrupt


arduino cheat sheet

Structure & Flow

Basic Program Structure
void setup() {
  // Runs once when sketch starts
}
void loop() {
  // Runs repeatedly
}

Control Structures
if (x < 5) { ... } else { ... }
while (x < 5) { ... }
for (int i = 0; i < 10; i++) { ... }
break;    // Exit a loop immediately
continue; // Go to next iteration
switch (var) {
  case 1:
    break;
  case 2:
    break;
  default:
}
return x; // x must match return type
return;   // For void return type

Function Definitions
«ret. type» «name»(«params») { ... }
e.g. int double(int x) {return x*2;}


Operators

General Operators
=   assignment
+   add                    -   subtract
*   multiply               /   divide
%   modulo
==  equal to               !=  not equal to
<   less than              >   greater than
<=  less than or equal to
>=  greater than or equal to
&&  and                    ||  or
!   not

Compound Operators
++  increment
--  decrement
+=  compound addition
-=  compound subtraction
*=  compound multiplication
/=  compound division
&=  compound bitwise and
|=  compound bitwise or

Bitwise Operators
&   bitwise and            |   bitwise or
^   bitwise xor            ~   bitwise not
<<  shift left             >>  shift right

Pointer Access
&   reference: get a pointer
*   dereference: follow a pointer

Variables, Arrays, and Data

Data Types
boolean        true | false
char           -128 - 127, 'a' '$' etc.
unsigned char  0 - 255
byte           0 - 255
int            -32768 - 32767
unsigned int   0 - 65535
word           0 - 65535
long           -2147483648 - 2147483647
unsigned long  0 - 4294967295
float          -3.4028e+38 - 3.4028e+38
double         currently same as float
void           i.e., no return value

Strings
char str1[8] =
  {'A','r','d','u','i','n','o','\0'};
  // Includes \0 null termination
char str2[8] =
  {'A','r','d','u','i','n','o'};
  // Compiler adds null termination
char str3[] = "Arduino";
char str4[8] = "Arduino";

Numeric Constants
123         decimal
0b01111011  binary
0173        octal - base 8
0x7B        hexadecimal - base 16
123U        force unsigned
123L        force long
123UL       force unsigned long
123.0       force floating point
1.23e6      1.23*10^6 = 1230000

Qualifiers
static    persists between calls
volatile  in RAM (nice for ISR)
const     read-only
PROGMEM   in flash

Arrays
int myPins[] = {2, 4, 8, 3, 6};
int myInts[6];   // Array of 6 ints
myInts[0] = 42;  // Assigning first
                 // index of myInts
myInts[6] = 12;  // ERROR! Indexes
                 // are 0 through 5
Built-in Functions

Pin Input/Output
Digital I/O - pins 0-13 A0-A5
  pinMode(pin, [INPUT, OUTPUT, INPUT_PULLUP])
  int digitalRead(pin)
  digitalWrite(pin, [HIGH, LOW])
Analog In - pins A0-A5
  int analogRead(pin)
  analogReference([DEFAULT, INTERNAL, EXTERNAL])
PWM Out - pins 3 5 6 9 10 11
  analogWrite(pin, value)

Advanced I/O
tone(pin, freq_Hz)
tone(pin, freq_Hz, duration_ms)
noTone(pin)
shiftOut(dataPin, clockPin, [MSBFIRST, LSBFIRST], value)
unsigned long pulseIn(pin, [HIGH, LOW])

Time
unsigned long millis()  // Overflows at 50 days
unsigned long micros()  // Overflows at 70 minutes
delay(msec)
delayMicroseconds(usec)

Math
min(x, y)  max(x, y)  abs(x)
sin(rad)  cos(rad)  tan(rad)
sqrt(x)  pow(base, exponent)
constrain(x, minval, maxval)
map(val, fromL, fromH, toL, toH)

Random Numbers
randomSeed(seed)  // long or int
long random(max)  // 0 to max-1
long random(min, max)

Bits and Bytes
lowByte(x)  highByte(x)
bitRead(x, bitn)
bitWrite(x, bitn, bit)
bitSet(x, bitn)
bitClear(x, bitn)
bit(bitn)  // bitn: 0=LSB 7=MSB

Type Conversions
char(val)  byte(val)
int(val)   word(val)
long(val)  float(val)

External Interrupts
attachInterrupt(interrupt, func, [LOW, CHANGE, RISING, FALLING])
detachInterrupt(interrupt)
interrupts()
noInterrupts()

[Figure: Arduino Uno board drawing]
Libraries

Serial - comm. with PC or via RX/TX
begin(long speed)  // Up to 115200
end()
int available()  // #bytes available
int read()       // -1 if none available
int peek()       // Read w/o removing
flush()
print(data)  println(data)
write(byte)  write(char * string)
write(byte * data, size)
SerialEvent()  // Called if data rdy

SoftwareSerial.h - comm. on any pin
SoftwareSerial(rxPin, txPin)
begin(long speed)  // Up to 115200
listen()       // Only 1 can listen
isListening()  // at a time.
read, peek, print, println, write
  // Equivalent to Serial library

EEPROM.h - access non-volatile memory
byte read(addr)
write(addr, byte)
EEPROM[index]  // Access as array

Servo.h - control servo motors
attach(pin, [min_uS, max_uS])
write(angle)  // 0 to 180
writeMicroseconds(uS)
  // 1000-2000; 1500 is midpoint
int read()  // 0 to 180
bool attached()
detach()

Wire.h - I²C communication
begin()      // Join a master
begin(addr)  // Join a slave @ addr
requestFrom(address, count)
beginTransmission(addr)  // Step 1
send(byte)               // Step 2
send(char * string)
send(byte * data, size)
endTransmission()        // Step 3
int available()  // #bytes available
byte receive()   // Get next byte
onReceive(handler)
onRequest(handler)

(cc) by Mark Liffiton
version: 2018-08-06
source: https://github.com/liffiton/Arduino-Cheat-Sheet/
Adapted from:
- Original: Gavin Smith
- SVG version: Frederic Dufourg
- Arduino board drawing: Fritzing.org


setup development environment

[Screenshot: Arduino 1.8.9 Tools menu with the DEFCON_China_Badge_2019 sketch open]
Board: "Arduino Pro or Pro Mini"
Processor: "ATmega328P (3.3V, 8 MHz)"
Port: "/dev/cu.usbserial-DC3ZLD8T"
Programmer: "Arduino as ISP"

INTERACT w/ BADGE via SERIAL MONITOR

[Screenshot: Serial Monitor set to "No line ending", 9600 baud]


LIBRARIES

https://github.com/rocketscream/Low-Power
https://github.com/adafruit/Adafruit_LIS3DH
https://github.com/adafruit/Adafruit_Sensor
https://github.com/marcmerlin/LED-Matrix
https://github.com/adafruit/Adafruit-GFX-Librar
www.codeproject.com/Articles/732646/Fast-digital-I-O-for-Arduino
https://github.com/PaulStoffregen/TimerOne

install libraries


code modifications

• led matrix
  • Add #define swap() to .cpp to prevent compiling error
  • Remove #defines for DIO2 pinMode and digitalWrite
    • conflicted with my core code

explore source code

• Find flags and figure out how to achieve them
• enable special badge hacking workshop flag
• ???
Hacking

www.grandideastudio.com/portfolio/defcon-china-2019-badge

open lab

thank you for coming!